
Here is the scenario. I have roughly 20 computers joined to a domain on a Windows 2003 R2 server running Active Directory. All computers other than the server are running XP Pro. On 6 of the XP computers I have a special piece of software, e.g. ABC software. On those 6 computers the local user needs administrative privileges on 2 folders and a handful of registry keys. Can I make a group or group policy to allow administrative access to the required folders and registry keys on just those 6 machines? The folders and keys are identical on all machines. Right now the only two options I see are to go to each computer and add the permissions to each folder and key to the correct domain group, or run users as local machine administrators. Neither of these is a desired solution. Any help would be appreciated.

Brian

Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"

That is actually the current configuration. We have problems with that from users adding / removing software. One user installed 3 antivirus programs side by side. Many of the machines end up with 4-8 toolbars in the web browsers. We'd like to lock down the workstations to maintain usability. Plus our share of malware issues increased after the admin privileges were given out of necessity for the software.

Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"

Unfortunately, due to policy, I have to be generic here, but the software package in question needs full control on 2 directories, e.g. C:\program files\dir1 and C:\program files\dir2, and 2 registry folders, hkey local machine\software\program1 and hkey local machine\software\program2. I know that I can make a domain user group for this software and add my users to it, but I have to go to each machine with the software and change each of these folders or keys individually. I'd like to just make a group and somehow say that this group has permissions on *wildcardcomputername*\c:\program files\dir1 etc.

Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"

I think perhaps I'm confusing you. I have the ability right now to go into both directories and registry keys and give permissions to the users/groups that I want to. The problem is that I have to go to computer 1 and add these permissions, then go to several other buildings to add the permissions to computers 2, 3, 4, 5, and 6. I would like to either export the permissions from computer 1 and apply them via the domain to the other computers, or create some kind of GP or security policy that allows permissions to be applied to computers 1-6. This also ensures me that all 6 computers will have the exact same permissions for our software. The problem is that I don't see any way to apply permissions from the Domain Controller to the member computers' local file systems. I can only give a group permissions to a server directory. The software has to be installed on each local computer. Does that make more sense?

Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"

If I install the software in a directory on each computer called needadminrights, how can I tell the domain to give a user or user group access to c:\needadminrights\ on all 6 computers without going to each computer and adding the users to the needadminrights directory?

Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"

You will have to create the group on AD first. Then when you install the program to the designated folder (or just use the existing folders for that matter) you will have to set the folder(s) NTFS permissions to give the newly created AD group the proper level of (modify should be more than enough) rights. The same goes for the registry keys. You should be able to perform everything you need from the domain controller. RDP to the desktop and change the needed permissions on the folders and registry entries. Everything else will exist in AD on the domain controller. You can even push the software install from the DC if you wanted to.

Edited by Baltboy, 12 July 2011 - 10:14 AM.

Get your facts first, then you can distort them as you please. Mark Twain
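The permission change described in the answer above, written once as a script so that it can be deployed to every machine that has the software instead of being repeated by hand over RDP. This is an added example, not part of the original thread: the group name is hypothetical, the paths are the generic placeholders used in the thread, and it assumes PowerShell is installed on the workstations and that the script runs elevated (for example as a computer startup script).

```powershell
# Added example, not from the thread. $Group is a hypothetical domain group;
# the folder and key names are the thread's generic placeholders.
param(
    [string]   $Group   = 'EXAMPLE\ABC-Software-Users',
    [string[]] $Folders = @('C:\Program Files\dir1', 'C:\Program Files\dir2'),
    [string[]] $RegKeys = @('HKLM:\SOFTWARE\program1', 'HKLM:\SOFTWARE\program2')
)

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$noProp = [System.Security.AccessControl.PropagationFlags]::None

function Grant-Rule([string]$Path, $Rule) {
    # Machines without the software are skipped, so the same script is
    # safe to run on every computer it reaches.
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Skipping $Path (not present on $env:COMPUTERNAME)"
        return
    }
    $acl = Get-Acl -Path $Path
    # SetAccessRule replaces any explicit Allow entry this group already has,
    # so re-running at every boot does not pile up duplicate ACEs.
    $acl.SetAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Folders: Modify (not Full Control), inherited by subfolders and files.
$fsRights  = [System.Security.AccessControl.FileSystemRights]'Modify'
$fsInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($folder in $Folders) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $fsRights, $fsInherit, $noProp, $allow)
    Grant-Rule $folder $rule
}

# Registry keys: read, write and delete, inherited by subkeys. The group
# cannot change the key's permissions or take ownership.
$regRights  = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey, Delete'
$regInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit'
foreach ($key in $RegKeys) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, $regRights, $regInherit, $noProp, $allow)
    Grant-Rule $key $rule
}
```

Group Policy can also carry the same ACLs without a script, under Computer Configuration > Windows Settings > Security Settings > File System and Registry; in either case, scope the GPO to only the computers that run the software.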

I thank you for your assistance. I don't mean to sound unappreciative, but the core of my question is still unanswered. I do appreciate the point of using RDP to access each machine from the Domain Controller so that I don't need to be physically at each machine. I'm perfectly familiar with applying the privileges in this manner using the domain groups. However, I still have to perform this configuration 6 different times via RDP? What I was really looking for is a way to say, look, all 6 computers have ABC software installed in c:\needadminrights\ or whatever. I was seeking if the domain offers the ability to just wildcard the computer name and issue permissions for any computer on the domain to have read/write/modify on the directory c:\needadminrights. I'm kind of thinking how Windows logon scripts use wildcards like %localmachine%. Can I issue a command that grants a domain user group read/write/modify access to the c:\needadminrights directory of any domain computer? This way, as we add the software to other computers, no additional permissions changes are required.

Thanks for all the time you've both put in.

Brian

Sincerely,

Brian

"Thanks to all of you who contribute to open source projects and communities!"